From Microsoft Corporation
MC220224, Stay Informed, Published date: Aug 12, 2020
If you do not have users who are using the Microsoft Authenticator app on their mobile devices for two-factor authentication, you may safely ignore this message.
When this will happen
- For iOS, we are rolling this out gradually in mid-August and should be complete by the end of August.
- For Android, we are rolling this out gradually in late August and should be complete by mid-September.
How this affects your organization
The Microsoft Authenticator app can serve as a second verification method after users sign in with username and password, or it can allow sign-in without a password by using a mobile device with PIN or biometrics (fingerprint or face). App Lock keeps one-time passcodes, app information, and app settings more secure.
Currently, when a login notification arrives on the phone, users can approve or deny from the lock screen.
However, with App Lock enabled, users will need to launch the app (on iOS) or launch a dialog (on Android) before they can approve or deny the request. They will also need to provide an additional PIN or biometric gesture to successfully authenticate the login request.
What you need to do to prepare
Consider updating your user training and documentation.
- For Enterprise on-premise multi-factor authentication (MFA) notifications that already require a PIN:
  - The flow is unchanged. After users interact with the notification, they will need to provide their MFA PIN (not device PIN). In subsequent approvals, they will have the option to use the device bio gesture instead of the MFA PIN.
- Azure AD and MSA Phone sign-in notifications:
  - The flow is unchanged.
Users can go to the Settings page in the Authenticator app and return the App Lock toggle to the Off position.